A utility leveraging Windows 10+ mechanisms to intercept process creation by registering a debugger in the system registry.

HiJack.exe /list
HiJack.exe /add <File Name> [Flags]
HiJack.exe /remove <File Name> [Flags]

0x1 - Unload the library immediately after calling DllMain.
0x2 - Enable LDR linking.

To intercept a process, such as hello.exe, execute the following command:

HiJack.exe /add hello.exe

This will enable HiJack to intercept the process creation of hello.exe and inject the library <File Name>_hijack.dll (e.g., hello_hijack.dll or hello_hijack32.dll if the process is 32-bit). The DLL must be located in the same directory as the intercepted executable.

• Ensure that you use the appropriate version of HiJack:
  • Use the 32-bit version for 32-bit processes.
  • Use the 64-bit version for 64-bit processes.
• The 32-bit version of HiJack can utilize the 64-bit version if both executables are placed in the same directory.
• The 64-bit version of HiJack can utilize the 32-bit version if both executables are placed in the same directory.
• The NTDLL project is a DLL that can be used as an example for injection.